From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.100; helo=mga07.intel.com; envelope-from=star.zeng@intel.com; receiver=edk2-devel@lists.01.org Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 5A70221191750 for ; Thu, 15 Nov 2018 20:40:48 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 Nov 2018 20:40:47 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,239,1539673200"; d="scan'208";a="108726899" Received: from fmsmsx104.amr.corp.intel.com ([10.18.124.202]) by orsmga001.jf.intel.com with ESMTP; 15 Nov 2018 20:40:47 -0800 Received: from fmsmsx118.amr.corp.intel.com (10.18.116.18) by fmsmsx104.amr.corp.intel.com (10.18.124.202) with Microsoft SMTP Server (TLS) id 14.3.408.0; Thu, 15 Nov 2018 20:40:46 -0800 Received: from shsmsx101.ccr.corp.intel.com (10.239.4.153) by fmsmsx118.amr.corp.intel.com (10.18.116.18) with Microsoft SMTP Server (TLS) id 14.3.408.0; Thu, 15 Nov 2018 20:40:46 -0800 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.84]) by SHSMSX101.ccr.corp.intel.com ([169.254.1.102]) with mapi id 14.03.0415.000; Fri, 16 Nov 2018 12:40:44 +0800 From: "Zeng, Star" To: "Wu, Hao A" , "edk2-devel@lists.01.org" CC: "Wu, Hao A" , Laszlo Ersek , "Yao, Jiewen" , "Zeng, Star" Thread-Topic: [edk2] [PATCH v2 1/2] MdeModulePkg/SmmCorePerfLib: [CVE-2017-5753] Fix bounds check bypass Thread-Index: AQHUfWKogbhNkFy6ckONTsy8NAEOd6VR0jQg Date: Fri, 16 Nov 2018 04:40:44 +0000 Message-ID: <0C09AFA07DD0434D9E2A0C6AEB048310401F21A9@shsmsx102.ccr.corp.intel.com> References: <20181116041242.37604-1-hao.a.wu@intel.com> <20181116041242.37604-2-hao.a.wu@intel.com> In-Reply-To: <20181116041242.37604-2-hao.a.wu@intel.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ctpclassification: CTP_NT x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNjFlMWFiY2MtNzM4Mi00N2VmLWI5MTMtNjU5YWY0NzYwZTBjIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiOG5VaXpDOE9xUzVveU9MdFVFRDZuc25CXC9MRXZZeTlDNzhXTDhHeldieXd2OVFKUGtnOG5HeHo4enhYOHFcL0JKIn0= dlp-product: dlpe-windows dlp-version: 11.0.400.15 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH v2 1/2] MdeModulePkg/SmmCorePerfLib: [CVE-2017-5753] Fix bounds check bypass X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Nov 2018 04:40:48 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Star Zeng -----Original Message----- From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Hao = Wu Sent: Friday, November 16, 2018 12:13 PM To: edk2-devel@lists.01.org Cc: Wu, Hao A ; Laszlo Ersek ; Yao, = Jiewen ; Zeng, Star Subject: [edk2] [PATCH v2 1/2] MdeModulePkg/SmmCorePerfLib: [CVE-2017-5753]= Fix bounds check bypass REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D1194 Speculative execution is used by processor to avoid having to wait for data= to arrive from memory, or for previous operations to finish, the processor= may speculate as to what will be executed. If the speculation is incorrect, the speculatively executed instructions mi= ght leave hints such as which memory locations have been brought into cache= . Malicious actors can use the bounds check bypass method (code gadgets wit= h controlled external inputs) to infer data values that have been used in s= peculative operations to reveal secrets which should not otherwise be acces= sed. This commit will focus on the SMI handler(s) registered within the SmmCoreP= erformanceLib and insert AsmLfence API to mitigate the bounds check bypass = issue. For SMI handler SmmPerformanceHandlerEx(): Under "case SMM_PERF_FUNCTION_GET_GAUGE_DATA :", 'SmmPerfCommData->LogEntry= Key' can be a potential cross boundary access of the 'CommBuffer' (controll= ed external inputs) during speculative execution. This cross boundary acces= s is then assign to parameter 'LogEntryKey'. And the value of 'LogEntryKey'= can be inferred by code: CopyMem ( (UINT8 *) &GaugeDataEx[Index], (UINT8 *) &GaugeEntryExArray[LogEntryKey++], sizeof (GAUGE_DATA_ENTRY_EX) ); One can observe which part of the content within 'GaugeEntryExArray' was br= ought into cache to possibly reveal the value of 'LogEntryKey'. Hence, this commit adds a AsmLfence() after the boundary/range checks of 'C= ommBuffer' to prevent the speculative execution. And there is 1 similar case for SMI handler SmmPerformanceHandler() as well= . This commit also handles it. A more detailed explanation of the purpose of commit is under the 'Bounds c= heck bypass mitigation' section of the below link: https://software.intel.com/security-software-guidance/insights/host-firmwar= e-speculative-execution-side-channel-mitigation And the document at: https://software.intel.com/security-software-guidance/api-app/sites/default= /files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf Cc: Star Zeng Cc: Jiewen Yao Cc: Laszlo Ersek Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu --- MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c | 16 ++= +++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceL= ib.c b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c index cd1f1a5d5f..63c1eea3a2 100644 --- a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c +++ b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c @@ -16,7 +16,7 @@ =20 SmmPerformanceHandlerEx(), SmmPerformanceHandler() will receive untrusted= input and do basic validation. =20 -Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made availab= le under the terms and conditions of the BSD License which accompanies thi= s distribution. The full text of the license may be found at @@ -538,6 +53= 8,13 @@ SmmPerformanceHandlerEx ( break; } =20 + // + // The AsmLfence() call here is to ensure the previous range/conten= t + // checks for the CommBuffer have been completed before calling + // CopyMem(). + // + AsmLfence (); + GaugeEntryExArray =3D (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1); =20 for (Index =3D 0; Index < NumberOfEntries; Index++) { @@ -650,6 +65= 7,13 @@ SmmPerformanceHandler ( break; } =20 + // + // The AsmLfence() call here is to ensure the previous range/conten= t + // checks for the CommBuffer have been completed before calling + // CopyMem(). + // + AsmLfence (); + GaugeEntryExArray =3D (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1); =20 for (Index =3D 0; Index < NumberOfEntries; Index++) { -- 2.12.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel